After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may be the result of a global cyberfraud operation.

UPDATE (01/26/2009): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to be the largest in U.S. history.

UPDATE (02/12/2009): According to BankInfoSecurity.com, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.

UPDATE (06/04/2009): While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.

UPDATE (06/16/2009): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland.

UPDATE (07/06/2009): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security.

UPDATE (08/20/2009): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey - along with two unnamed Russian conspirators - on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

Total records breached: 100 million transactions per month. It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision.

UPDATE (08/20/2009): According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.

UPDATE (05/12/2010): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits against it for four million. So far, Heartland has recovered about $30 million from insurance companies.

UPDATE (06/02/2010): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer.

UPDATE (09/01/2010): Heartland Payment Systems has agreed to settle with Discover for five million dollars. Discover will use the money to cover costs of fraud incidents and reissuing cards.

UPDATE (09/19/2010): Jerome Abaquin Gonzales is expected to surrender to police and serve jail time for participating in a credit card forgery ring which used information from the Heartland breach. The information came from the 4.2 million Discover credit card customers who used their cards at Hannaford Brothers.

UPDATE (09/22/2010): Thomas Michio Taniguchi was sentenced to prison for his role in the forgery ring in which Jerome Abaquin Gonzales also participated.

UPDATE (12/07/2011): Heartland legal representatives were able to successfully argue that most of the claims against Heartland that were filed by nine banks should be dismissed. All but one claim was dismissed.

UPDATE (02/12/2012): The nine banks may have had their claims against Heartland dismissed because Heartland reported that sharing a contractual relationship with the banks defeats their appeal. However, the credit-card-issuing banks are arguing that a New Jersey economic loss rule only bars claims for foreseeable economic losses when the parties are in a contractual relationship and does not bar their negligence claim against Heartland.

UPDATE (07/25/2013): Five more foreign hackers were charged for their role in stealing information from Heartland Payment Systems, NASDAQ, Dow Jones, JetBlue, and J.C. Penney.

The TJX Companies Inc. experienced an unauthorized intrusion into its computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. According to its Web site, TJX is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.

Note on our total: included in this breach are 45,700,000 credit and debit card account numbers; 455,000 merchandise return records containing customer names and driver's license numbers; recovery of about 200,000 stolen credit card account numbers; records then indicated an additional 48 million people have been affected. Totals were estimated at 94 million but now seem to have affected over 100 million accounts.

UPDATE (2/22/2007): TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on various subsequent dates that year.

UPDATE (3/21/2007): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

UPDATE (3/29/2007): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers.

UPDATE (4/22/2007): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, apparently beginning in July 2005.

UPDATE (05/04/2007): An article in the WSJ notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly installed another layer of security software it had bought, thieves were able to access data streaming between hand-held price-checking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards.

UPDATE (07/10/2007): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places. Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.

UPDATE (08/31/2007): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

UPDATE (09/21/2007): A ring leader in the TJX Cos.-linked credit card fraud was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.

UPDATE (09/25/2007): TJX announced the terms of a settlement for customers affected by the data breach -- with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court.

UPDATE (10/23/2007): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.

UPDATE (10/23/2007): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45.7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million.

UPDATE (11/30/2007): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc.

UPDATE (12/05/2007): An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

UPDATE (12/18/2007): TJX has settled the lawsuit for an undisclosed amount. Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings. TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards.

UPDATE (2/10/2008): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement.

UPDATE (4/2/2008): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.

UPDATE (5/14/2008): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX's previously announced Settlement Agreement with MasterCard.

UPDATE (8/5/2008): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.

UPDATE (8/30/2008): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that would have enabled the bank to avoid canceling and replacing customer debit cards.

UPDATE (9/22/2008): One of the 11 people arrested last month in connection with the massive data theft at TJX Companies Inc., BJ's Wholesale Club Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

UPDATE (6/26/2009): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

UPDATE (7/28/2009): Pennsylvania and 40 other states reached a $9.75 million settlement.

UPDATE (9/4/2009): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks' expenses in pursuing the legal action.

UPDATE (12/15/2009): A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at retailers T.J. Maxx, OfficeMax, and many other merchants, pleaded guilty on Tuesday to similar charges related to breaches at Heartland Payment Systems, 7-11, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28, reiterated terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New York appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008.

UPDATE (3/17/2010): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking. Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder Stephen Watt was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network.

UPDATE (3/29/2010): A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000-a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that the $17 billion JC Penney chain was one of Gonzalez’s victims, even though JC Penney's media representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C. and Puerto Rico, had kept its identity secret. No more, and that’s the way Woodlock wanted it.

UPDATE (4/16/2010): Damon Patrick Toey, the 'trusted subordinate' of TJX hacker Albert Gonzalez, was sentenced in Boston to 5 more years in prison. He also received a $100,000 fine and three years' supervised release, according to the Justice Department.

UPDATE (7/8/2010): TJX has settled another lawsuit. The Louisiana Municipal Police Employees' Retirement System, a shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files.

UPDATE (4/8/2011): Albert Gonzalez is appealing his conviction for his role in a large data breach by claiming that his actions were authorized by the Secret Service. The government acknowledged that Gonzalez was a key undercover Secret Service informant at the time of the breaches. In a 25-page petition, Gonzalez faulted one of his attorneys for failing to prepare a "Public Authority" defense, which would have argued that he committed crimes with the approval of government authorities.

Information Source: Dataloss DB

records from this breach used in our total: 100,000,000

February 5, 2015

Anthem, Indianapolis, Indiana

BSF

HACK

80 million

Anthem, the second largest health insurance company, operating under Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink, has suffered a massive data breach.

The company announced that they have been the victim of a "very sophisticated external cyber attack" on their system. The information compromised includes names, birthdays, medical IDs, Social Security Numbers, street addresses, e-mail addresses, employment and income information.

Over the next several weeks, those who were affected will be receiving some form of identity theft protection.

For those members with questions regarding the breach, the company has set up a toll-free line at 1-877-263-7995.

More Information: For the statement by Anthem's CEO Joseph R. Swedish and the dedicated website created for customer information, click here.

UPDATE (2/10/2015): As further investigations are pursued regarding the Anthem breach, research by Brian Krebs and others shows that the hacking began as early as April 2014 and points to a Chinese hacker group known as "Deep Panda".

At the time, Anthem was called Wellpoint, and upon further investigation Krebs "discovered a series of connected domain names that appear to imitate actual Wellpoint sites, including we11point.com and myhr.we11point.com."

Because these sites were constructed almost 10 months prior, the question has now been raised as to why it took the company such a long time to uncover the hacking.

The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their service numbers.

Information Source: Dataloss DB

records from this breach used in our total: 76,000,000

September 2, 2014

The Home Depot, Atlanta, Georgia

BSR

HACK

56,000,000

The Home Depot appears to be another victim of a data breach of their POS systems, reportedly by the same Russian hacking group that hit Target, Michaels, Neiman Marcus and P.F. Chang's.

Brian Krebs of Krebs on Security reported that a significantly large amount of debit and credit card information went up for sale on the underground cybercrime sites, all leading back to purchases made at Home Depot stores across the US.

Home Depot is currently investigating the potential breach. Updated postings will follow as more information comes in.

UPDATE (9/10/2014): The Home Depot has now confirmed that their credit card processing systems were compromised in 2,200 of its stores across the U.S. and Canada. Currently, no information has been released as to the number of individuals affected. Authorities are predicting this could surpass the 40 million individuals affected by the Target hacking.

UPDATE (9/16/2014): "A group of attorneys general have opened a multistate investigation into the recently confirmed data breach at Home Depot Inc."

Attorneys General in Connecticut, Illinois and California will be leading the investigation to uncover the cause of the data breach and how the retailer has handled the breach with their affected customers.

More Information: http://www.bna.com/attorneys-general-launch-n17179894898/

UPDATE (9/18/2014): The Home Depot has announced the data breach they suffered earlier this month has affected approximately 56 million credit and debit cards. This makes this breach the second largest breach ever, just behind TJX Co.'s breach of 90 million records. They also announced that they see no evidence of any breach of their stores in Mexico or for those who shopped at their online store, HomeDepot.com.

UPDATE (9/26/2014): At least 15 lawsuits have been filed against The Home Depot for the recent data breach that occurred in US and Canadian stores. The lawsuits allege that The Home Depot neglected to secure customers' financial and personal information. Most of the cases were filed by customers; however, two credit unions and one bank have also filed suit.

UPDATE (9/29/2014): The Home Depot has posted a page on their website regarding the recent data breach, for consumers who were affected. This page will advise you on what to do and how to obtain information to take advantage of the free 12 month credit monitoring services. Make sure to scroll down past the photo.

More Information: https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx

UPDATE (11/14/2014): The Home Depot has now announced that on top of the 56 million customers who had financial information compromised in the breach, the hackers also made off with 53 million email addresses of customers as well.

More Information: http://krebsonsecurity.com/category/data-breaches/

UPDATE (11/25/2014): The Home Depot is facing 44 civil lawsuits in the U.S. and Canada as a result of the data breach that occurred across the organization's retail stores.

Currently the company "has been working to deploy EuroPay MasterCard Visa (EMV) chip-and-pin security at each of its U.S. and Canadian stores. The breach compromised the financial details of customers who shopped at any of Home Depot's 2,266 stores in the U.S. and Canada".

Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the hackers. The data exported included names, card numbers and card security codes.

UPDATE (2/23/2006): CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate security measures to protect sensitive personal information. The company must implement a comprehensive security program and obtain audits every 2 years for 20 years.

UPDATE (5/12/2006): CardSystems filed for bankruptcy.

UPDATE (5/28/2009): Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Less than a year later the security breach occurred. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it.

Target discovered that hackers may have accessed customer debit and credit card information during the Thanksgiving and Christmas shopping season. Customers who used a payment card at any of Target's stores nationwide between November 27, 2013 and December 15, 2013 may have had their payment card information copied for fraudulent purposes. Credit card companies and banks have been notifying customers of the issue and advising them to watch for suspicious charges. Customer names, credit or debit card numbers, card expiration dates, and card security codes were taken and have appeared on the black market.

UPDATE (12/24/2013): Target now faces at least three class-action lawsuits as a result of the breach. A wave of scam artists are attempting to profit from the breach by posing as Target or bank representatives addressing the breach. People who shopped at Target are being warned not to give their information out over the phone. Target is working with the U.S. Department of Justice and the Secret Service to investigate the breach.

UPDATE (12/27/2013): Target customers are also being warned to be suspicious of emails claiming to be from Target or banks that request personal information. It is estimated that the breach may cost Target up to $3.6 billion. It appears that online customers were not affected.

UPDATE (12/28/2013): Target confirmed that PINs associated with payment cards were also exposed.

UPDATE (1/2/2014): East-West bank has issued a letter to their card holders warning that some of their accounts may have been compromised due to the Target data breach. East-West bank has issued new credit cards to their customers who shopped at any Target stores to reduce any potential unauthorized use of a card. (Source: CA Attorney General's Office)

UPDATE (1/10/2014): Target Corp. says that up to 70 million people were affected by the data breach, significantly more than was originally suspected. Experts predict the numbers could climb even higher than 70 million once the company completes its investigation.

UPDATE (1/13/2014): Target Corp. has confirmed that malware was found on the Point of Sale devices. The malware has been removed. The number of individuals affected is now said to be 110 million, 70 million more than originally thought.

UPDATE (1/13/2014): Security experts are stating that Target may not be alone in the data breach. Neiman Marcus and at least 3 other unnamed retailers (these retailers are thought to be located in Eastern Europe) may also have been compromised as federal investigators track what they believe to be an international crime ring.

UPDATE (1/14/2014): Companies that help Target process payments could be facing millions of dollars in fines and costs as a result of the data breach.

UPDATE (1/16/2014): The malware that infected the Target POS systems has been found and is known as Trojan.POSRAM, according to a new report by investigators. "The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and then stores it on the victim's system for later retrieval". The malware was originally thought to have been developed in Russia, known as BlackPOS. This new version is considered to be highly customized so that current antivirus programs would not have detected it, as reported by investigative agencies.

UPDATE (1/20/2014): "A 17 year-old Russian national from St. Petersburg is thought to be responsible for the malicious programming that allowed for data from Target and Neiman Marcus to be compromised," according to a California based security firm.

UPDATE (1/21/2014): Two Mexican citizens were arrested at the border in South Texas for the purchase of thousands of dollars worth of merchandise with information stolen during the Target security breach, as reported by a South Texas police chief.

A spokesman with the Secret Service announced that the investigation is ongoing into the possibility of a link between the Target breach and the two arrested in Texas.

UPDATE (1/29/2014): The malware used in the Target attack could suggest a poorly secured feature built into a popular IT management software product that was running on the retailer's internal network.

UPDATE (1/29/2014): A Target Corp. investor filed suit in Minnesota federal court Wednesday against the retailer's executives, holding them liable for damage caused by the holiday season data breach that saw hackers steal personal and financial information from tens of millions of customers.

Shareholder Maureen Collier filed the suit with a complaint alleging that Target's board and top executives harmed the company financially by failing to take adequate steps to prevent the cyberattack, then by subsequently providing customers with incomplete and misleading information about the extent of the data theft.

"The suit brings claims of breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control, and seeks monetary damages on behalf of the company from the 14 named officers and directors".

UPDATE (2/5/2014): Hackers who broke into Target's computer network and stole customers' financial and personal data used credentials that were allegedly stolen from a heating and air conditioning subcontractor in Pennsylvania, according to digital security journalist Brian Krebs.

It appears as though the air conditioning company was given access to Target's computer network in order for the vendor to make remote changes to the system to cut heating and cooling costs. Target has not confirmed the accuracy of this report.

UPDATE (2/6/2014): Target Corporation announced they are fast tracking new credit card security technology in their stores, 6 months earlier than originally planned. Target's CFO announced it is moving up its goal to utilize chip-enabled smart cards, and now plans to have them in stores by early 2015. These cards encrypt point of sale data, rendering the credit card number less useful if stolen. Currently this technology is more prevalent outside of the US, and it has resulted in lower card number thefts in other countries, notably Canada and the United Kingdom.

UPDATE (2/15/2014): The breach at the Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at the HVAC contractor Fazio Mechanical in Sharpsburg, Pennsylvania. According to Krebs on Security, "multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers."

UPDATE (5/5/2014): Target's CEO has resigned in the wake of the data breach over the holiday season. He is claiming the breach was his fault. He is the second major executive to resign. Earlier in the year the company's Chief Technology Officer resigned as well. The CFO of the company will take over as the interim CEO.

UPDATE (8/7/2014): Target has announced that the data breach will cost its shareholders $148 million.

UPDATE (12/9/2014): A Minnesota court ruled that a lawsuit put forth by several banks could proceed, as the court stated that Target failed to adequately defend against the massive data breach they suffered. This is the first time a data breach case of this size has moved forward based on a company's failure to respond to warnings from security software/experts.

The November 6 defacement of Steam forums led to an investigation that revealed hackers had accessed a Steam database with sensitive user information. The database contained user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information. Users were prompted to change their Steam forum passwords and encouraged to change their Steam account passwords. Anyone using their Steam forum password for other websites should change their password since hackers could have obtained email address and password combinations. Steam is the Valve Corporation's social-distribution network. People who use the company's online gaming content were affected.

UPDATE (11/16/2012): A judge dismissed a class action lawsuit related to the November 6, 2011 breach. The plaintiffs of the lawsuit used Steam to purchase and access online gaming content. They alleged present and future harm as a result of the breach. According to the judge who dismissed the lawsuit, the plaintiffs did not prove that they were harmed by the Steam breach.

Information Source: Databreaches.net

records from this breach used in our total: 35,000,000

May 22, 2006

U.S. Department of Veterans Affairs

Washington, District Of Columbia

GOV

PORT

26,500,000

(800) 827-1000

On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings.

UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.

UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.

UPDATE (8/5/06): Two teens were arrested in the theft of the laptop.

UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.

UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.

UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.

UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.

UPDATE (10/19/12): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.

Information Source: Dataloss DB

records from this breach used in our total: 26,500,000

August 2, 2008

Countrywide Financial Corp.

Calabasas, California

BSF

INSD

17,000,000

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period through July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.

UPDATE (1/30/2009): Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports.

UPDATE (4/09/2010): Employees of Countrywide Financial stole and sold "tens of thousands, or millions" of customers' personal financial information, invading their privacy and exposing them to identity theft, according to class action claims in Ventura County Court, CA. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of America, which bought Countrywide, the poster boy for the subprime mortgage crisis.

UPDATE (5/08/2010): For information about the settlement, visit www.CWdataclaims.com or call (866) 940-3612.

UPDATE (8/24/2010): Bank of America has settled over 30 lawsuits involving Countrywide Financial customer data theft. As many as 17 million customers who received a mortgage or used Countrywide to service a mortgage before July 1, 2008 will receive reimbursement and identity theft insurance. Identity theft claims can be filed after September 6.

UPDATE (9/28/2011): A former employee responsible for the breach was sentenced to eight months in prison and ordered to repay $1.2 million in costs.

UPDATE (7/13/2012): A small group of people objected to a proposed settlement and decided to split from a larger class action lawsuit. A court dismissed their claim because they could not sufficiently prove an out of pocket loss.

The company lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers.

UPDATE (5/07/08): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.

UPDATE (5/31/08): The Hartford Courant reports the following figures regarding the number of Connecticut shareholders affected by the lost computer tape: 403,894 People's United Bank; 33,586 John Hancock Financial; 18,361 Walt Disney Co.; 10,000 the remaining shareholders.

UPDATE (8/30/08): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million.

UPDATE (2/19/09): The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection. It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach.

The location listed is the U.S. headquarters of Sony. Additional information reveals that a Sony data center in San Diego was attacked by cyber criminals.

Sony discovered an external intrusion on PSN and its Qriocity music service around April 19. Sony placed an outage to block users from playing online games or accessing services like Netflix and Hulu Plus on Friday April 22. Sony says the outage will continue until the situation is addressed, which will likely be within the next week. Sony believes an unauthorized person has obtained names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity password and login, and handle/PSN online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. User credit card numbers may have also been obtained. Sony has hired a security firm to investigate the incident and strengthen the network infrastructure by re-building their system to provide greater protection of personal information.

An individual filed a class action lawsuit on behalf of all PSN users following seven days of a Sony PlayStation Network outage. The lawsuit alleges that Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line." It also accused Sony of violating the Payment Card Industry (PCI) security standard, which prohibits companies from storing cardholder data.

UPDATE (5/3/2011): A review of Sony's network breach revealed that it was larger than first thought. Sony turned the SOE system off. Hackers may have taken personal information from an additional 24,600,000 user accounts in Austria, Germany, the Netherlands and Spain. Names, addresses, genders, email addresses, login name and associated password, phone numbers and birth dates of SOE gaming customers, as well as data from about 12,700 credit card accounts and 10,700 bank accounts from an outdated 2007 database could have been accessed. The outdated account information that may have been obtained by hackers includes credit card numbers, debit card numbers, expiration dates, bank account numbers, customer names, account names and customer addresses.

The SOE network hosts games that are played over the Internet on personal computers and is separate from the PlayStation network. Sony has not clearly indicated if credit card numbers were compromised. At least one report indicates that the numbers were encrypted. These breached records will not be added to the total until more is known.

UPDATE (5/6/2011): Sony now indicates that some credit card numbers were compromised. Twelve million credit card numbers were unencrypted and could easily be read.

UPDATE (5/7/2011): Sony discovered that hackers had placed customer information online. Sony removed the information. It included customer names and addresses from a 2001 Sony database.

Service restoration for the PlayStation network was indefinitely delayed. Additionally, the CEO issued an apology letter.

UPDATE (5/17/2011): Hackers began changing user passwords by using PSN account emails and dates of birth within two days of the partial restoration of the PlayStation Network. Sony failed to alter the password reset system to account for hackers having obtained user email addresses and dates of birth. Users who changed their passwords, but not the email associated with their PlayStation Network accounts, were vulnerable to the hacker exploit. Sony shut down the PlayStation Network again and released a short statement about the incident.

UPDATE (6/4/2011): A concise history of the Sony hacks can be found here.

UPDATE (7/21/2011): Zurich American, one of Sony's insurers, is suing to deny releasing data breach coverage funds to Sony. Sony expects the breach to lower operating profit by $178 million in the current financial year. A total of 55 class action complaints have been filed.

UPDATE (10/11/2011): Sony Online Entertainment became aware of a large number of unauthorized sign-in attempts. The attempts took place between October 7 and 10. About 93,000 PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment services accounts may have been compromised. The unauthorized parties appear to have verified valid sign-in IDs and passwords after a number of failed attempts. Sony temporarily locked those accounts. It is unclear if the email addresses were obtained from a previous breach.

UPDATE (10/19/2012): A federal judge found that Sony users signed a privacy policy informing them that Sony's security was not perfect. Sony was cleared of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes. The judge ruled that plaintiffs could not claim that Sony violated consumer-protection laws because PSN services were free of cost. This dismissed much of the lawsuit.

UPDATE (12/16/2013): Sony agreed to drop an insurance claim over litigation related to the 2011 breach.

UPDATE (7/30/2014): "Sony recently offered to settle a class action lawsuit over the 2011 breach of its PlayStation Network. According to the terms of the proposed $15 million settlement, the money will be paid out in the form of games. Class members who didn't take advantage of initial 'Welcome Back' package of games and memberships offered in 2011 will receive one of the 14 PlayStation 3 or PlayStation Portable games, as well as three of six PS3 themes or a three-month PlayStation Plus subscription. Qriocity users will get one month of free access."

A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information.

UPDATE (8/27/07): The company first estimated that about 2.3 million records were affected but quickly boosted that number to 8.5 million in filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach.

UPDATE (11/23/07): A former database analyst at Certegy Check Services Inc., has agreed to enter a guilty plea to federal fraud and conspiracy charges in connection with the theft of data.

UPDATE (7/7/08): A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of consumer records from Certegy Check Services.

UPDATE (7/7/08): A new settlement provides that all class members whose personal or financial information was stolen can get compensated up to $20,000 if they were not reimbursed for certain identity theft losses caused by the data theft. The losses covered could have occurred from Aug. 24, 1998, to Dec. 31, 2010. www.datasettlement.com

UPDATE (4/26/10): As part of a class action settlement in U.S. District Court in Tampa, consumers were given the opportunity to elect credit monitoring for one year or bank account monitoring for two years and were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. Consumers also were able to request credit monitoring at the company's expense immediately after the thefts were announced. The settlement with the Attorney General's office ensures that Certegy will maintain a comprehensive information-security program. This program will assess internal and external risks to consumers' personal information, implement safeguards to protect that consumer information, and will regularly monitor and test the effectiveness of those safeguards. Certegy and its related entities also agree to adhere to payment card industry data security standards as those standards continue to evolve. As part of the settlement, Certegy is donating $125,000 to the Attorney General's Seniors vs. Crime Program for educational, investigative and crime prevention programs for the benefit of senior citizens and the community and will pay $850,000 for the state's investigative costs and attorney's fees related to the case.

Information Source: Dataloss DB

records from this breach used in our total: 8,500,000

March 30, 2012

Global Payments Inc.

Atlanta, Georgia

BSF

CARD

7,000,000

Global Payments discovered a massive breach of their systems in early March 2012. Global Payments processes credit and debit cards for banks and merchants and a number of credit and debit cards issued to businesses were determined to be compromised. The breach was discovered when Global Payments' security systems detected unusual activity.

UPDATE (04/02/2012): Global Payments created a breach information website for consumers. Global Payments claimed that only a few of their North American servers were affected by the breach. They also claimed that around 1.5 million users had Track 2 data (card expiration date and credit card number) exposed. Media reports that up to 10 million consumers had their names, addresses, and Social Security numbers credit exposed were denied by Global Payments. Visa has removed Global Payments from their list of compliant service providers as a result of the breach.

UPDATE (04/05/2012): The breach occurred sometime between January 21 and February 25 of 2012 (REVISED TO JUNE OF 2011). Fraudulent activity has already been detected on around 800 cards.

UPDATE (05/01/2012): It appears that a hacker or hackers were first able to access Global Payments Inc. in June of 2011. Global Payments revised their initial estimate and believe that card holders and banks were affected at least as far back as June 2011. This could mean that at least seven million card accounts are vulnerable; though Global Payments still believe that only 1.5 million were affected.

UPDATE (07/26/2012): In addition to being dropped from Visa and Mastercard's lists of compliant companies, Global Payments spent nearly $85 million on security repairs and upgrades.

UPDATE (07/30/2012): Global Payments informed Comerica Bank in June that their ongoing investigation revealed a potential unauthorized access to its servers that contain merchant application data.

UPDATE (01/10/2013): Global Payments has incurred $94 million in fees associated with the breach. A total of $60 million was paid for professional fees and other costs associated with investigating the breach and remediation for its effects. The $60 million was also used to cover incentive payments to business partners and the cost of providing credit monitoring and identity protection insurance. An additional $35.9 million went towards estimated fraud losses, fines, and charges imposed on Global Payments by card networks. Global Payments received $2 million from insurance recoveries.

Global Payments also reported that it has now paid all fines related to non-compliance and has updated its systems and processes in order to be returned to the payment card network list of PCI-DSS compliant service providers.

UPDATE (04/15/2013): An April 2012 class action lawsuit related to the breach was dismissed on March 6. Global Payments also confirmed that the expenses associated with the breach totaled $92.7 million. A total of $20 million in breach losses was recuperated through insurance recoveries. In April 2013, Global Payments closed its investigation of the breach.

Information Source: Databreaches.net

records from this breach used in our total: 7,000,000

April 27, 2012

Office of the Texas Attorney General

Austin, Texas

GOV

DISC

6.5 million

Lawyers responsible for challenging a voter ID law in Texas requested the Texas voter database for analysis. The Texas Attorney General's office released encrypted discs with the personal records of 13 million Texas voters, but half still contained Social Security numbers. A state police officer was dispatched to New York, Washington D.C., and Boston to retrieve the encrypted discs when the opposing lawyers revealed that a mistake had occurred.

Information Source: Media

records from this breach used in our total: 6,500,000

October 26, 2012

South Carolina Department of Revenue

Columbia, South Carolina

GOV

HACK

6.4 million

Citizens concerned about exposure may visit protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422.

South Carolina Department of Revenue's website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.

UPDATE (10/31/2012): Tax records dating back to 1998 were exposed. A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.

UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach. Trustwave is an international company based in Chicago.

UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers. It appears that Trustwave focused on helping the South Carolina Department of Revenue comply with regulations regarding how credit card information is handled. Neither Trustwave nor the South Carolina Department of Revenue detected the breach.

UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed. Additionally, 3.3 million taxpayers had bank account information obtained. It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million taxpayers who had bank account information obtained.

UPDATE (01/11/2013): A State IT division director reported that the SCDOR's former chief information officer and current computer security chief were notified on August 13 that 22 computers were infected with malicious code. The State's division of IT recommended that passwords be reset after the discovery, but they were not reset.

UPDATE (03/01/2013): A lawsuit brought against TrustWave and SCDOR by a former state senator has been dismissed by a judge. The former senator accused the agencies of conspiring to hide the fact that a massive breach had occurred and failing to adequately protect taxpayers from a potential hack.

UPDATE (04/02/2013): About 1,448,798 people signed up for free individual credit monitoring and 41,446 signed up for free family credit monitoring.

UPDATE (10/25/2013): It is estimated that South Carolina taxpayers will pay at least $8.5 million to pay for one year's worth of free credit monitoring to those affected by the data breach. Over 650,000 businesses had their tax information exposed.

One of TD Ameritrade's databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. "We were able to conclude that while Social Security numbers are stored in this particular database, your SSN were not retrieved." The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted spam because of this breach.

UPDATE (4/28/09): TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been compromised: "[W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases ... to be retrieved by an external source [and] Social Security Numbers are stored in this particular database."

UPDATE (10/27/09): TD Ameritrade was nearing a settlement in the case of more than six million stolen records when the judge, who previously seemed to agree with the proposal, rejected it today. The federal judge handling the case has decided the proposed settlement provides no discernible benefit to the victims and he rejected the proposed settlement.

UPDATE (11/16/10): Pending approval by a U.S. District Judge, TD Ameritrade will offer between $0 and $2,500 to customers who were affected by the breach. Customers who received spam, or were victims of criminal identity theft because a criminal who was arrested posed as them, will get $0 unless they were also victims of account-fraud-based identity theft. This settlement will cost between $2,500,000 and $6,500,000.

SAIC may be contacted at (855) 366-0140 for domestic calls and (952) 556-8312 for international calls. SAIC's website is http://www.saic.com/

The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed Service members, retirees and their families were affected. Patient data from the military health system that dates from 1992 to September 7, 2011 could have been exposed. The personally identifiable and protected health information of those who received care in the San Antonio area military treatment facilities and others whose laboratory workups were processed in these facilities was exposed. It includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information. The information was stolen from the car of an SAIC employee, along with a stereo system and a GPS device on September 13.

UPDATE (10/16/2011): Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data. The lawsuit would give $1000 to each of the 4.9 million affected individuals.

UPDATE (11/4/2011): SAIC reported that 5,117,799 people were affected by the breach.

UPDATE (01/06/2012): A second class action lawsuit, filed in the Superior Court of California in San Diego, targets SAIC and seeks unspecified monetary damages related to the theft of the computer tapes. The suit was filed in December and seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the September 2011 theft of the tapes.

UPDATE (03/14/2012): Some of the people affected by the breach have become victims of identity theft. The class action lawsuit against the Department of Defense and SAIC was amended to reflect the new information about fraudulent charges appearing on credit cards.

UPDATE (04/08/2012): SAIC's insurance will most likely be enough to cover any judgments or settlements that result from the data breach. SAIC also revealed that the Office for Civil Rights in the Health and Human Services Department opened an investigation into the tape theft on November 17, 2011.

UPDATE (07/10/2012): Eight class action lawsuits have been consolidated into one case alleging that personal information was mishandled. The case will be handled by the U.S. District Court in Washington, D.C.

UPDATE (5/13/2014): On Friday, "a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected over 4.7 million individuals.

In his ruling, U.S. District Judge James Boasberg wrote that the case raises 'thorny standing issues regarding ... when is a consumer actually harmed by a data breach -- the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party?'

He noted that most courts 'have agreed that the mere loss of data -- without evidence that [the information] has been either viewed or misused -- does not constitute an injury sufficient to confer standing,' adding, 'This court agrees'" (Kolbasuk McGee, GovInfoSecurity, 5/13).

Information Source: Media

records from this breach used in our total: 5,117,799

January 6, 2009

CheckFree Corp.

Atlanta, Georgia

BSF

HACK

5,000,000

CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company lost control of its Web domains, it doesn't know exactly who was hit. It has warned a much larger number of customers. This breach was reported on Dec. 3, 2008.

Information Source: Dataloss DB

records from this breach used in our total: 5,000,000

August 18, 2014

Community Health Systems

Franklin, Tennessee

MED

HACK

4.5 million

Community Health Systems out of Franklin, Tennessee has announced a large data breach of their medical system. The breach occurred when hackers infiltrated the server of the health system, compromising Social Security numbers, names and addresses for 4.5 million patients. Authorities believe that the hackers were based out of China and the attacks happened from April 2014 through June 2014.

The company operates 206 hospitals in 29 states and is currently doing further investigations regarding the attack.

UPDATE (8/26/2014): Five Alabama residents have filed a class-action lawsuit against Community Health Systems following last week's announcement of the data breach of 4.5 million patients.

Information Source: Media

records from this breach used in our total: 4,500,000

March 17, 2008

Hannaford Bros. Supermarket chain

Portland, Maine

BSF

HACK

4.2 million

(866) 591-4580

This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission process. It's unclear if personal information was exposed.

UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made.

UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims.

UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges.

UPDATE (3/29/2013): A United States District Court for the District of Maine has denied a motion that would have allowed a lawsuit to proceed as a class action. The plaintiffs originally moved to certify the proposed class on September 4, 2012. http://tinyurl.com/bsg9xpu

Information Source: Dataloss DB

records from this breach used in our total: 4,200,000

August 28, 2013

Advocate Medical Group, Advocate Health

Park Ridge, Illinois

MED

STAT

4 million

The July 15 office theft of four unencrypted desktop computers resulted in the exposure of patient information. Approximately four million patients who were seen by Advocate Medical Group physicians between the early 1990s and July of 2013 were affected. Names, Social Security numbers, addresses, and dates of birth were exposed. Diagnoses, medical record numbers, medical service codes, and health insurance information were also exposed in some circumstances.

UPDATE (09/06/2013): A class-action lawsuit on behalf of patients in the Chicago area has been filed. It claims that Advocate Medical Center should have done more to protect patient information.

Information Source: Media

records from this breach used in our total: 4,000,000

June 6, 2005

Citigroup, UPS

New York, New York

BSF

PORT

3,900,000

Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS.

Information Source: Dataloss DB

records from this breach used in our total: 3,900,000

April 11, 2011

Texas Comptroller's Office

Austin, Texas

GOV

DISC

3.5 million

The data came from the Teacher Retirement Center of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.

Those who have questions about the breach may call 1-855-474-2065.

The information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, data that was not encrypted was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed. A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident.

UPDATE (4/13/2011): Approximately two million of the 3.5 million possibly affected are unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and driver's license numbers of some of these people were also exposed. The information was accidentally disclosed on a Comptroller's publicly accessible server. TWC provided uninsured claimant records from December 31, 2006 to December 31, 2009 to the Comptroller's office in April of 2010 to assist in identifying individuals who may have unclaimed property. The information was sent in a protected manner using Secure File Transfer Protocol (SFTP), which encrypts the data during transmission over a state-controlled network used by state agencies and universities.

UPDATE (5/6/2011): Two class action lawsuits have been filed on behalf of 3.5 million Texans who had their information exposed by the breach. The second class action lawsuit seeks a $1,000 statutory penalty for each affected individual.

UPDATE (2/13/2012): The cost of the credit monitoring services provided to those affected has passed $600,000. Currently, no taxpayers have linked fraudulent charges to the breach.

Information Source: Databreaches.net

records from this breach used in our total: 3,500,000

July 9, 2008

Division of Motor Vehicles Colorado, Colorado

GOV

DISC

3.4 million

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers.

Information Source: Media

records from this breach used in our total: 3,400,000

March 26, 2010

Educational Credit Management Corporation

St. Paul, Minnesota

BSF

PORT

3,300,000

ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data.

UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence room.

Information Source: Dataloss DB

records from this breach used in our total: 3,300,000

October 21, 2013

Court Ventures

Anaheim, California

BSO

DISC

3,100,000

Between October 2010 and December 2012, Court Ventures, a public records aggregator, provided access to US Info Search data to a foreign criminal posing as a legitimate private investigator.

Court Ventures had a contract with US Info Search where customers of Court Ventures had access to US Info Search data which included records on more than 200 million Americans, including individuals' Social Security numbers, dates of birth, and other records.

Experian purchased the assets of Court Ventures in March 2012, and the criminal's access to the US Info Search data was shut down in December 2012. Experian has publicly stated that no Experian databases were breached in this situation.

UPDATE (3/10/2014): According to Krebs on Security, in March 2014, Hieu Minh Ngo pled guilty to running an identity theft business called Superget.info out of his home in Vietnam. Ngo posed as a private investigator when he contracted with Court Ventures to gain access to consumer records. Ngo was then able to provide access to the US Info Search database to his clients.

Krebs on Security states, "The government alleges that the service's customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo's customers made approximately 3.1 million queries on Americans."

Krebs adds, "That means that if Ngo's clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo's service is likely to have been many times that number - potentially as many as 30 million records."

UPDATE (2/23/2015): The total number of records indicated here has been changed to 3.1 million by PRC to reflect the approximate number of records queried by Ngo's customers according to the court transcript. [This 3/10/14 UPDATE was amended on 2/23/15 to include additional content from the Krebs on Security blog post of March 10, 2014, related to the Court Ventures breach.]

UPDATE (10/11/2013): Hackers kept the source code on a hidden, but unencrypted server.

UPDATE (10/21/2013): A second breach related to the initial one in early October caused Adobe to reset client passwords.

UPDATE (10/29/2013): An investigation revealed that the encrypted passwords of approximately 38 million active users were also exposed. Adobe IDs were also compromised and were reset by Adobe after the breach.

UPDATE (11/20/2013): Around 42 million passwords for the Australian-based online dating service Cupid Media were also found on the same server that contained stolen Adobe, PR Newswire, and National White Collar Crime Center information.

UPDATE (11/25/2013): Some estimate that 152 million Adobe ID accounts were in a file that began circulating on the internet in late October. Adobe Systems Inc. has encountered delays in trying to notify all customers of the issue since it was discovered 10 weeks ago.

On January 25, 2014, Michaels Stores Inc. notified customers of a possible security breach involving customers' payment cards. The company has not yet confirmed that a breach occurred; however, based on a preliminary investigation and in light of the recent Target and Neiman Marcus breaches, it felt it was important to warn customers of the possibility of a breach.

Michaels is currently working with investigators on the potential breach. No additional detailed information has been supplied by the company.

UPDATE (2/11/2014): A class action lawsuit has been filed against Michaels by an individual. The suit claims that "the arts and crafts supplier failed to secure and safeguard customers’ private financial information". The suit also alleges that "Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time".

It has also been reported that Michaels failed to disclose a data breach that occurred in May of 2011. A lawsuit was filed for the 2011 breach, but was settled.

The company has not yet released the total number of individuals affected by the breach or when the breach might have taken place.

UPDATE (7/22/2014): "A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561, dismissed 7/14/14).

Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages".

Information Source: Media

records from this breach used in our total: 2,600,000

November 27, 2013

Maricopa County Community College District

Phoenix, Arizona

EDU

UNKN

2.49 million

An unspecified data breach may have exposed the information of current and former students, employees, and vendors. Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties.

UPDATE (12/02/2013): Student academic information may have also been exposed. The Maricopa County Community College District's governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected.

UPDATE (12/07/2013): Estimations for the cost of the breach are as high as $14 million.

UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 million individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the "FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet". It was also reported that "the district's Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian".

Information Source: Media

records from this breach used in our total: 2,490,000

April 17, 2008

University of Miami

Miami, Florida

MED

PORT

2,100,000

(866) 628-4492

Computer tapes containing confidential information of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information.

Information Source: Dataloss DB

records from this breach used in our total: 2,100,000

March 2, 2006

Los Angeles County Department of Social Services

Los Angeles, California

GOV

PHYS

Potentially 2,000,000

It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month. This affects employees and clients.

Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.

UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed. Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected. Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.

Health and Hospital Corporation is the group that runs the affected hospitals and clinics.

The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach. Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services. The theft occurred during December of 2010. The information on the tapes was from patients, staff members and associated employees and dated back to 1991. Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed.

Information Source: PHIPrivacy.net

records from this breach used in our total: 1,700,000

October 7, 2011

The Nemours Foundation

Wilmington, Delaware

MED

PORT

1.6 million

Three unencrypted computer backup tapes were reported missing on September 8. The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project. The cabinet was not found. The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004. Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.

UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected. In addition to medical treatment information, the payroll information of current and former employees was exposed. Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.

Information Source: PHIPrivacy.net

records from this breach used in our total: 1,600,000

November 18, 2009

Health Net

Shelton, Connecticut

MED

PORT

1,500,000

The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan and the drive included health information, Social Security numbers and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected.

UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.

UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.

UPDATE (1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company's information security programs throughout the next two years.

Information Source: Dataloss DB

records from this breach used in our total: 1,500,000

March 8, 2005

DSW Shoe Warehouse, Retail Ventures

Columbus, Ohio

BSR

HACK

1,400,000

Credit card information from customers in 25 states was compromised.

UPDATE (04/19/2005): An additional 1,300,000 customers were added to the initial estimate of 100,000.

UPDATE (08/23/2012): DSW was locked in a dispute with National Union over insurance coverage. A federal appellate court ruled that DSW was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest.

On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. The computer also contained the state's Directory of New Hires.

UPDATE (12/07/2006): When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.

Information Source: Dataloss DB

records from this breach used in our total: 1,400,000

October 23, 2006

Chicago Voter Database

Chicago, Illinois

GOV

DISC

1.35 million Chicago residents

An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.

Information Source: Dataloss DB

records from this breach used in our total: 1,350,000

January 22, 2007

Chicago Board of Election

Chicago, Illinois

GOV

PORT

1.3 million

About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses.

Information Source: Dataloss DB

records from this breach used in our total: 1,300,000

June 10, 2008

University of Utah Hospitals and Clinics

Salt Lake City, Utah

MED

PORT

2.2 million

Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

UPDATE (2/5/09): The data tapes were found within a month after being stolen.

UPDATE (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the University. Colorado Casualty was providing breach insurance to the University at the time of the breach.

The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach-related costs sought by the University.

New York State Electric & Gas (NYSEG), Rochester Gas and Electric (RG&E), Iberdrola USA

Rochester, New York

GOV

DISC

878,000 NYSEG customers and 367,000 RG&E customers

Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies www.nyseg.com and www.rge.com.

An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party. Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed. A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected. An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected.

UPDATE (07/12/2012): The Department of Public Service reviewed the NYSEG/RG&E incident and concluded that there was no evidence that any confidential customer information was misused. In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards. The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.

AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected.

UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more AvMed members than originally thought. The total now nears 1.1 million.

UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach. At least two of them believe that their personal information was misused as a result of this particular breach.

UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were "explicitly" able to prove a link between the breach and ID theft they incurred. The case had been thrown out by a lower court in August 2011, but the appeal ruling may make it easier for victims of identity theft to prove that the identity theft was caused by a data breach.

UPDATE (09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013.

UPDATE (10/29/2013): AvMed will pay $3 million.

UPDATE (3/6/2014): "Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)".

Information Source: Media

records from this breach used in our total: 1,220,000

February 25, 2005

Bank of America Corp.

Charlotte, North Carolina

BSF

PORT

1,200,000

Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost. Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected. Around 900,000 of the account holders affected were Defense Department employees.

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

UPDATE (2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information. Failing to require brokers working remotely to install security software on personal computers led to the fine.

Information Source: Media

records from this breach used in our total: 1,200,000

October 20, 2014

Staples Inc.

Framingham, Massachusetts

BSR

HACK

1.2 million

Several large banks notified Staples Inc. of unusual activity on credit and debit cards used at several locations in the Northeastern United States.
According to Brian Krebs of Krebs on Security:
"According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey".
Staples Inc. has more than 1800 stores nationwide and is currently investigating the potential breach.

UPDATE (11/17/2014): It appears that the breach that happened at Staples was conducted by the same cyber criminals that infiltrated Michaels stores. According to Krebs On Security, "Multiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard about cards impacted in the breach at Staples, and that to date those alerts suggest that a subset of Staples stores were compromised between July and September 2014."

UPDATE (12/19/2014): After an investigation, Staples Inc. said that nearly 1.2 million customers payment cards. "Staples said Friday that the investigation revealed that the hackers used malware that provided access to information for transactions at 115 of its stores. The hackers stole cardholder names, payment card numbers, expiration dates and card verification codes. The company is offering free identity theft protection services.

RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset.

UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.

UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action lawsuit has been filed against RBS WorldPay.

UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.

UPDATE (8/09/10): Sergei Tsurikov of Estonia was brought to Atlanta by the FBI. He pleaded not guilty to computer fraud, conspiracy to commit computer fraud, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. The FBI is in the process of extraditing others involved in the international hack.

UPDATE (8/31/10): Another person has been charged with participating in the computer fraud attack. Vladislav Anatolievich Horohorin is alleged to have used a prepaid payroll card to conduct fraudulent attacks on ATMs in Moscow.

UPDATE (9/15/10): A previously unnamed member of the hacking group will be tried in a Russian court for his involvement in the RBS breach. Eugene Anikin's criminal case was forwarded to Zaeltsovskiy District Court in Novosibirsk for consideration.

UPDATE (2/7/2011): Yevgeny Anikin, 27, pleaded guilty to participating in a hacking ring that stole $10 million from former Royal Bank of Scotland division WorldPay.

UPDATE (8/21/2012): Sonya Martin was sentenced to 2.5 years in federal prison for fraudulently obtaining over $9 million from an Atlanta payroll company. She was a cell leader in the plan that involved organized computer hacking and ATM cashout schemes. She worked with other members of the network to target 2,100 ATMs in 280 cities around the world.

Information Source: Dataloss DB

records from this breach used in our total: 1,100,000

Breach Total

815,842,526 RECORDS BREACHED (Please see explanation about this total.) from 4,489 DATA BREACHES made public since 2005